{
  "type": "Domain",
  "indicator": "neashell1.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/neashell1.com",
    "alexa": "http://www.alexa.com/siteinfo/neashell1.com",
    "indicator": "neashell1.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3637358699,
      "indicator": "neashell1.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "63fcc40dc61f21260d830fdb",
          "name": "TA569: SocGholish and Beyond",
          "description": "TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish. In the past few months researchers have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the quantity of injection varieties, as well as payloads deviating from the standard SocGholish \u201cFake Update\u201d JavaScript packages.",
          "modified": "2023-03-29T14:02:58.543000",
          "created": "2023-02-27T14:54:04.724000",
          "tags": [
            "SocGholish",
            "ta569",
            "sczriptzzbn",
            "Initial Access Brokers"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "solarmarker",
              "display_name": "solarmarker",
              "target": null
            },
            {
              "id": "IcedID",
              "display_name": "IcedID",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 422,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 18,
            "URL": 7,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 217,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386641,
          "modified_text": "1159 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63fc6dfa5a75c6105e62838c",
          "name": "TA569: SocGholish and Beyond | Proofpoint US",
          "description": "Find out more about Proofpoint, the world's leading cybersecurity company, in a series of online resources and webinars, with information on how to protect your people, data and brand.",
          "modified": "2024-04-12T14:10:43.087000",
          "created": "2023-02-27T08:46:50.465000",
          "tags": [
            "netsupport",
            "socgholish",
            "bec",
            "javascript",
            "redline",
            "ta569",
            "strong",
            "proofpoint",
            "sczriptzzbn",
            "netsupport rat",
            "beyond",
            "english",
            "learn",
            "rats",
            "local",
            "solarmarker",
            "august",
            "protect",
            "small",
            "tools",
            "february",
            "service",
            "redline stealer",
            "icedid",
            "stealer",
            "unknown",
            "hades",
            "back",
            "lockbit",
            "sanctions",
            "wastedlocker",
            "demo"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond",
            "https://x.com/ajmeese7/status/1748137181988667622?s=20"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "JavaScript",
              "display_name": "JavaScript",
              "target": null
            },
            {
              "id": "BEC",
              "display_name": "BEC",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 160,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 18,
            "URL": 7,
            "domain": 25
          },
          "indicator_count": 224,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 866,
          "modified_text": "779 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "641dca4956bddac52c6b9fe8",
          "name": "Phishing Lures Used To Drop Malware",
          "description": "An attack campaign used various injections and traffic distribution systems (TDS) to drop commodity malware including RedLine Stealer, SocGholish, NetSupport, and SolarMarker. Compromised websites and phishing emails with malicious links were used as the initial infection vectors. Various themes were used to convince users to visit the sites including fake browser, security software, and DDoS protection updates and unsolvable captcha puzzles. The Trellix Threat Intelligence Group (TIG) gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports.",
          "modified": "2023-04-23T16:04:24.392000",
          "created": "2023-03-24T16:05:29.119000",
          "tags": [
            "https",
            "netsupport",
            "socgholish",
            "bec",
            "javascript",
            "redline",
            "ta569",
            "strong",
            "proofpoint",
            "sczriptzzbn",
            "netsupport rat",
            "beyond",
            "english",
            "learn",
            "rats",
            "local",
            "solarmarker",
            "august",
            "protect",
            "small",
            "tools",
            "february",
            "service",
            "redline stealer",
            "icedid",
            "stealer",
            "unknown",
            "hades",
            "back",
            "lockbit",
            "sanctions",
            "wastedlocker",
            "demo"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "JavaScript",
              "display_name": "JavaScript",
              "target": null
            },
            {
              "id": "BEC",
              "display_name": "BEC",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BITSecurity",
            "id": "103352",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 31,
            "FileHash-SHA1": 30,
            "FileHash-SHA256": 31,
            "URL": 11,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 281,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 247,
          "modified_text": "1134 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63fd5dd8d01c11570ad7e6de",
          "name": "TA569 Inject Websites To Distribute SocGholish Malware",
          "description": "",
          "modified": "2023-03-30T01:02:06.013000",
          "created": "2023-02-28T01:50:15.145000",
          "tags": [],
          "references": [
            "February 28th, 2023 - CryptoGen Cyber Threat Intelligence -  TA569 Inject Websites To Distribute SocGholish Malware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 31,
            "URL": 7,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 236,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "1159 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63fd5ddb6ea002849d3fcee6",
          "name": "TA569 Inject Websites To Distribute SocGholish Malware",
          "description": "",
          "modified": "2023-03-30T01:02:06.013000",
          "created": "2023-02-28T01:50:19.405000",
          "tags": [],
          "references": [
            "February 28th, 2023 - CryptoGen Cyber Threat Intelligence -  TA569 Inject Websites To Distribute SocGholish Malware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 31,
            "URL": 7,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 236,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 503,
          "modified_text": "1159 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63fda20a5957603e94f0ffb6",
          "name": "TA569: SocGholish and Beyond",
          "description": "",
          "modified": "2023-03-29T14:02:58.543000",
          "created": "2023-02-28T06:41:14.761000",
          "tags": [
            "SocGholish",
            "ta569",
            "sczriptzzbn",
            "Initial Access Brokers"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "solarmarker",
              "display_name": "solarmarker",
              "target": null
            },
            {
              "id": "IcedID",
              "display_name": "IcedID",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63fcc40dc61f21260d830fdb",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 18,
            "URL": 7,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 217,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 189,
          "modified_text": "1159 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63fe472ce41e914efa085a72",
          "name": "TA569: SocGholish and Beyond",
          "description": "TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish. In the past few months Proofpoint researchers have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the quantity of injection varieties, as well as payloads deviating from the standard SocGholish \u201cFake Update\u201d JavaScript packages. Such changes, and the frequency of said changes, are likely in response to two things: efficacy data collected during the attack chain and profitability.",
          "modified": "2023-03-29T14:02:58.543000",
          "created": "2023-02-28T18:25:48.809000",
          "tags": [
            "SocGholish",
            "ta569",
            "sczriptzzbn",
            "Initial Access Brokers"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
          ],
          "public": 1,
          "adversary": "TA569",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "solarmarker",
              "display_name": "solarmarker",
              "target": null
            },
            {
              "id": "IcedID",
              "display_name": "IcedID",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63fcc40dc61f21260d830fdb",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "feisty-swim1410",
            "id": "217462",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 18,
            "URL": 7,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 217,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "1159 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64058f7276747541caf87ea1",
          "name": "TA569: SocGholish and Beyond",
          "description": "",
          "modified": "2023-03-29T14:02:58.543000",
          "created": "2023-03-06T07:00:02.955000",
          "tags": [
            "SocGholish",
            "ta569",
            "sczriptzzbn",
            "Initial Access Brokers"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "solarmarker",
              "display_name": "solarmarker",
              "target": null
            },
            {
              "id": "IcedID",
              "display_name": "IcedID",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63fda20a5957603e94f0ffb6",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 18,
            "URL": 7,
            "domain": 19,
            "hostname": 159
          },
          "indicator_count": 217,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "1159 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond",
        "February 28th, 2023 - CryptoGen Cyber Threat Intelligence -  TA569 Inject Websites To Distribute SocGholish Malware.pdf",
        "https://x.com/ajmeese7/status/1748137181988667622?s=20"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Socgholish",
            "Redline",
            "Netsupport rat",
            "Solarmarker",
            "Icedid"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "TA569"
          ],
          "malware_families": [
            "Bec",
            "Javascript",
            "Socgholish",
            "Netsupport",
            "Redline",
            "Netsupport rat",
            "Solarmarker",
            "Icedid"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "63fcc40dc61f21260d830fdb",
      "name": "TA569: SocGholish and Beyond",
      "description": "TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish. In the past few months researchers have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the quantity of injection varieties, as well as payloads deviating from the standard SocGholish \u201cFake Update\u201d JavaScript packages.",
      "modified": "2023-03-29T14:02:58.543000",
      "created": "2023-02-27T14:54:04.724000",
      "tags": [
        "SocGholish",
        "ta569",
        "sczriptzzbn",
        "Initial Access Brokers"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        },
        {
          "id": "solarmarker",
          "display_name": "solarmarker",
          "target": null
        },
        {
          "id": "IcedID",
          "display_name": "IcedID",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 422,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 18,
        "URL": 7,
        "domain": 19,
        "hostname": 159
      },
      "indicator_count": 217,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386641,
      "modified_text": "1159 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63fc6dfa5a75c6105e62838c",
      "name": "TA569: SocGholish and Beyond | Proofpoint US",
      "description": "Find out more about Proofpoint, the world's leading cybersecurity company, in a series of online resources and webinars, and information on how to protect your people, data and brand.",
      "modified": "2024-04-12T14:10:43.087000",
      "created": "2023-02-27T08:46:50.465000",
      "tags": [
        "netsupport",
        "socgholish",
        "bec",
        "javascript",
        "redline",
        "ta569",
        "strong",
        "proofpoint",
        "sczriptzzbn",
        "netsupport rat",
        "beyond",
        "english",
        "learn",
        "rats",
        "local",
        "solarmarker",
        "august",
        "protect",
        "small",
        "tools",
        "february",
        "service",
        "redline stealer",
        "icedid",
        "stealer",
        "unknown",
        "hades",
        "back",
        "lockbit",
        "sanctions",
        "wastedlocker",
        "demo"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond",
        "https://x.com/ajmeese7/status/1748137181988667622?s=20"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "JavaScript",
          "display_name": "JavaScript",
          "target": null
        },
        {
          "id": "BEC",
          "display_name": "BEC",
          "target": null
        },
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 36,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 160,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 18,
        "URL": 7,
        "domain": 25
      },
      "indicator_count": 224,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 866,
      "modified_text": "779 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "641dca4956bddac52c6b9fe8",
      "name": "Phishing Lures Used To Drop Malware",
      "description": "An attack campaign used various injections and traffic distribution systems (TDS) to drop commodity malware including RedLine Stealer, SocGholish, NetSupport, and SolarMarker. Compromised websites and phishing emails with malicious links were used as the initial infection vectors. Various themes were used to convince users to visit the sites including fake browser, security software, and DDoS protection updates and unsolvable captcha puzzles. The Trellix Threat Intelligence Group (TIG) gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports.",
      "modified": "2023-04-23T16:04:24.392000",
      "created": "2023-03-24T16:05:29.119000",
      "tags": [
        "https",
        "netsupport",
        "socgholish",
        "bec",
        "javascript",
        "redline",
        "ta569",
        "strong",
        "proofpoint",
        "sczriptzzbn",
        "netsupport rat",
        "beyond",
        "english",
        "learn",
        "rats",
        "local",
        "solarmarker",
        "august",
        "protect",
        "small",
        "tools",
        "february",
        "service",
        "redline stealer",
        "icedid",
        "stealer",
        "unknown",
        "hades",
        "back",
        "lockbit",
        "sanctions",
        "wastedlocker",
        "demo"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "JavaScript",
          "display_name": "JavaScript",
          "target": null
        },
        {
          "id": "BEC",
          "display_name": "BEC",
          "target": null
        },
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "BITSecurity",
        "id": "103352",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 31,
        "FileHash-SHA1": 30,
        "FileHash-SHA256": 31,
        "URL": 11,
        "domain": 19,
        "hostname": 159
      },
      "indicator_count": 281,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 247,
      "modified_text": "1134 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63fd5dd8d01c11570ad7e6de",
      "name": "TA569 Inject Websites To Distribute SocGholish Malware",
      "description": "",
      "modified": "2023-03-30T01:02:06.013000",
      "created": "2023-02-28T01:50:15.145000",
      "tags": [],
      "references": [
        "February 28th, 2023 - CryptoGen Cyber Threat Intelligence -  TA569 Inject Websites To Distribute SocGholish Malware.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 31,
        "URL": 7,
        "domain": 19,
        "hostname": 159
      },
      "indicator_count": 236,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 501,
      "modified_text": "1159 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63fd5ddb6ea002849d3fcee6",
      "name": "TA569 Inject Websites To Distribute SocGholish Malware",
      "description": "",
      "modified": "2023-03-30T01:02:06.013000",
      "created": "2023-02-28T01:50:19.405000",
      "tags": [],
      "references": [
        "February 28th, 2023 - CryptoGen Cyber Threat Intelligence -  TA569 Inject Websites To Distribute SocGholish Malware.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 31,
        "URL": 7,
        "domain": 19,
        "hostname": 159
      },
      "indicator_count": 236,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 503,
      "modified_text": "1159 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63fda20a5957603e94f0ffb6",
      "name": "TA569: SocGholish and Beyond",
      "description": "",
      "modified": "2023-03-29T14:02:58.543000",
      "created": "2023-02-28T06:41:14.761000",
      "tags": [
        "SocGholish",
        "ta569",
        "sczriptzzbn",
        "Initial Access Brokers"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        },
        {
          "id": "solarmarker",
          "display_name": "solarmarker",
          "target": null
        },
        {
          "id": "IcedID",
          "display_name": "IcedID",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63fcc40dc61f21260d830fdb",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 18,
        "URL": 7,
        "domain": 19,
        "hostname": 159
      },
      "indicator_count": 217,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 189,
      "modified_text": "1159 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63fe472ce41e914efa085a72",
      "name": "TA569: SocGholish and Beyond",
      "description": "TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish. In the past few months Proofpoint researchers have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the quantity of injection varieties, as well as payloads deviating from the standard SocGholish \u201cFake Update\u201d JavaScript packages. Such changes, and the frequency of said changes, are likely in response to two things: efficacy data collected during the attack chain and profitability.",
      "modified": "2023-03-29T14:02:58.543000",
      "created": "2023-02-28T18:25:48.809000",
      "tags": [
        "SocGholish",
        "ta569",
        "sczriptzzbn",
        "Initial Access Brokers"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
      ],
      "public": 1,
      "adversary": "TA569",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        },
        {
          "id": "solarmarker",
          "display_name": "solarmarker",
          "target": null
        },
        {
          "id": "IcedID",
          "display_name": "IcedID",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63fcc40dc61f21260d830fdb",
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "feisty-swim1410",
        "id": "217462",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 18,
        "URL": 7,
        "domain": 19,
        "hostname": 159
      },
      "indicator_count": 217,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "1159 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64058f7276747541caf87ea1",
      "name": "TA569: SocGholish and Beyond",
      "description": "",
      "modified": "2023-03-29T14:02:58.543000",
      "created": "2023-03-06T07:00:02.955000",
      "tags": [
        "SocGholish",
        "ta569",
        "sczriptzzbn",
        "Initial Access Brokers"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        },
        {
          "id": "solarmarker",
          "display_name": "solarmarker",
          "target": null
        },
        {
          "id": "IcedID",
          "display_name": "IcedID",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63fda20a5957603e94f0ffb6",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 18,
        "URL": 7,
        "domain": 19,
        "hostname": 159
      },
      "indicator_count": 217,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "1159 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "neashell1.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "neashell1.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780302394.4015148
}